httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Johnson <>
Subject Re: [users@httpd] Able to view .htaccess and .htpasswd files via user-agent under default configuration (Apache 2.4, Win32)
Date Mon, 03 Dec 2012 23:01:55 GMT

On 12/3/2012 5:51 PM, Eric Covener wrote:
> What's in the <Location /> with require valid-user? That effectively
> replaces the <Files> w/ no AuthMerging.  If you're passing that check,
> the .ht* will be served.

Right you are, good sir! I would never have figured that out.

If I remove the contents of that <Location /> (see below), I am denied
access to the .ht* files.

<Location />
AuthType Basic
AuthName "Please Authenticate"
AuthBasicProvider dbd
Require valid-user
# mod_authn_dbd SQL query to authenticate a user.
AuthDBDUserPWQuery "SELECT CONCAT('{SHA}', `password`) FROM `web_user`
WHERE `username` = %s"

To where should these directives be moved to avoid this overwriting? To
the <Directory> block whose path matches the server's document root?



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message